Zum Inhalt

RITA Real Intelligence Threat Analytics Cheat Sheet

generieren

Überblick

RITA (Real Intelligence Threat Analytics) ist ein Open-Source-Framework für die Netzwerk-Verkehrsanalyse, das Zeek (früher Bro) loggt und erkennt Indikatoren von Kompromissen durch statistische Analyse. Es identifiziert Beaconing-Verhalten, DNS-Tunneling, lange Verbindungen und andere verdächtige Netzwerkaktivitäten, die häufig mit fortgeschrittenen persistenten Bedrohungen (APTs) verbunden sind.

ZEIT Warnung: Dieses Tool ist nur für eine autorisierte Netzwerküberwachung und Sicherheitsanalyse bestimmt. Stellen Sie sicher, dass Sie eine ordnungsgemäße Autorisierung vor der Analyse des Netzwerkverkehrs haben.

Installation

Ubuntu/Debian Installation

```bash

Add MongoDB repository

wget -qO - https://www.mongodb.org/static/pgp/server-4.4.asc|sudo apt-key add - echo "deb [ arch=amd64,arm64 ] https://repo.mongodb.org/apt/ubuntu focal/mongodb-org/4.4 multiverse"|sudo tee /etc/apt/sources.list.d/mongodb-org-4.4.list

Update package list

sudo apt update

Install MongoDB

sudo apt install -y mongodb-org

Start MongoDB service

sudo systemctl start mongod sudo systemctl enable mongod

Install RITA

wget https://github.com/activecm/rita/releases/download/v4.8.0/rita chmod +x rita sudo mv rita /usr/local/bin/

Verify installation

rita --version ```_

Docker Installation

```bash

Clone RITA repository

git clone https://github.com/activecm/rita.git cd rita

Build Docker containers

docker-compose up -d

Run RITA in container

docker-compose exec rita rita --version ```_

Manuelle Installation

```bash

Install Go (if not already installed)

wget https://golang.org/dl/go1.19.linux-amd64.tar.gz sudo tar -C /usr/local -xzf go1.19.linux-amd64.tar.gz export PATH=$PATH:/usr/local/go/bin

Clone and build RITA

git clone https://github.com/activecm/rita.git cd rita make install

Copy binary to system path

sudo cp rita /usr/local/bin/ ```_

Konfiguration

Erster Setup

```bash

Create RITA configuration directory

sudo mkdir -p /etc/rita

Generate default configuration

rita test-config

Copy configuration file

sudo cp etc/rita.yaml /etc/rita/config.yaml

Edit configuration

sudo nano /etc/rita/config.yaml ```_

Konfiguration Dateistruktur

```yaml

/etc/rita/config.yaml

MongoDB: ConnectionString: mongodb://localhost:27017 AuthenticationMechanism: "" SocketTimeout: 2 TLS: Enable: false VerifyCertificate: false CAFile: ""

LogLevel: 2 LogPath: "/var/lib/rita/logs"

Rolling: DefaultChunks: 24

Filtering: AlwaysInclude: [] NeverInclude: [] InternalSubnets: []

UserInterface: DefaultResultLimit: 1000

Blacklisted: feodo.abuse.ch: true malwaredomainlist.com: true

BeaconSNI: DefaultConnectionThresh: 20

DNS: DefaultConnectionThresh: 20

Strobe: ConnectionLimit: 250000 ```_

Datenbankkonfiguration

```bash

Test MongoDB connection

mongo --eval "db.runCommand(\\{connectionStatus : 1\\})"

Create RITA database user (optional)

mongo admin --eval " db.createUser(\\{ user: 'rita_user', pwd: 'secure_password', roles: [ \\{role: 'readWrite', db: 'rita'\\}, \\{role: 'readWrite', db: 'MetaDatabase'\\} ] \\}) "

Update config for authentication

sudo nano /etc/rita/config.yaml

Add authentication details to MongoDB section

```_

Basisnutzung

Befehlsstruktur

```bash

Basic syntax

rita [command] [options]

Get help

rita --help rita [command] --help

Check version

rita --version ```_

Verfügbare Befehle

| | | Command | Description | | | | --- | --- | | | | import | Import Zeek logs into RITA database | | | | | | analyze | Analyze imported data for threats | | | | | | show-databases | List available databases | | | | | | show-beacons | Display beacon analysis results | | | | | | show-strobes | Display strobe analysis results | | | | | | show-dns | Display DNS analysis results | | | | | | show-blacklisted | Display blacklisted connections | | | | | | show-useragents | Display user agent analysis | | | | | | show-long-connections | Display long connection analysis | | | | | | delete | Delete database | | | | | | test-config | Test configuration file | | |

Datenimport und -analyse

Zeek Logs importieren

```bash

Import single log directory

rita import /path/to/zeek/logs dataset_name

Import with specific time range

rita import --rolling /path/to/zeek/logs dataset_name

Import compressed logs

rita import /path/to/zeek/logs.tar.gz dataset_name

Import with custom chunk size

rita import --chunk-size 1000000 /path/to/zeek/logs dataset_name

Import and analyze immediately

rita import --analyze /path/to/zeek/logs dataset_name ```_

Laufende Analyse

```bash

Analyze imported dataset

rita analyze dataset_name

Analyze with custom parameters

rita analyze --threads 4 dataset_name

Analyze specific modules only

rita analyze --beacon --dns dataset_name

Force re-analysis

rita analyze --force dataset_name ```_

Datenbankverwaltung

```bash

List all databases

rita show-databases

Show database information

rita show-databases --details

Delete database

rita delete dataset_name

Delete multiple databases

rita delete dataset1 dataset2 dataset3 ```_

Threat Detection Module

Beacon-Detektion

```bash

Show beacon analysis results

rita show-beacons dataset_name

Show top beacons with details

rita show-beacons --limit 20 dataset_name

Show beacons for specific source

rita show-beacons --src 192.168.1.100 dataset_name

Export beacon results to CSV

rita show-beacons --csv dataset_name > beacons.csv

Show beacon details with human-readable format

rita show-beacons --human-readable dataset_name ```_

DNS-Analyse

```bash

Show DNS analysis results

rita show-dns dataset_name

Show DNS tunneling indicators

rita show-dns --limit 50 dataset_name

Show DNS for specific domain

rita show-dns --domain suspicious.com dataset_name

Export DNS results

rita show-dns --csv dataset_name > dns_analysis.csv

Show DNS with subdomain analysis

rita show-dns --subdomain-analysis dataset_name ```_

Lange Verbindungsanalyse

```bash

Show long connections

rita show-long-connections dataset_name

Show connections longer than specific duration

rita show-long-connections --duration 3600 dataset_name

Show long connections for specific host

rita show-long-connections --src 192.168.1.100 dataset_name

Export long connections

rita show-long-connections --csv dataset_name > long_connections.csv ```_

Strobe Erkennung

```bash

Show strobe analysis (port scanning)

rita show-strobes dataset_name

Show strobes with specific threshold

rita show-strobes --limit 10 dataset_name

Show strobes for specific source

rita show-strobes --src 192.168.1.100 dataset_name

Export strobe results

rita show-strobes --csv dataset_name > strobes.csv ```_

Blacklistd Connections

```bash

Show blacklisted connections

rita show-blacklisted dataset_name

Show blacklisted with details

rita show-blacklisted --details dataset_name

Show blacklisted for specific source

rita show-blacklisted --src 192.168.1.100 dataset_name

Export blacklisted connections

rita show-blacklisted --csv dataset_name > blacklisted.csv ```_

Analyse des Benutzers

```bash

Show user agent analysis

rita show-useragents dataset_name

Show rare user agents

rita show-useragents --rare dataset_name

Show user agents for specific host

rita show-useragents --src 192.168.1.100 dataset_name

Export user agent analysis

rita show-useragents --csv dataset_name > useragents.csv ```_

Erweiterte Analysetechniken

Benutzerdefinierte Filterung

```bash

Analyze specific IP ranges

rita import --filter-internal 192.168.0.0/16,10.0.0.0/8 /path/to/logs dataset_name

Exclude specific networks

rita import --filter-external 8.8.8.8/32 /path/to/logs dataset_name

Custom time window analysis

rita import --start-time "2023-01-01 00:00:00" --end-time "2023-01-02 00:00:00" /path/to/logs dataset_name ```_

Threat Hunting Quers

```bash

Find potential C2 beacons with high confidence

rita show-beacons --score-threshold 0.8 dataset_name

Identify DNS tunneling attempts

rita show-dns --query-length-threshold 50 dataset_name

Find long-duration connections (potential persistence)

rita show-long-connections --duration 7200 dataset_name

Detect port scanning activity

rita show-strobes --connection-threshold 100 dataset_name ```_

Kreuzdatensatzanalyse

```bash

Compare multiple datasets

rita show-beacons dataset1 > beacons1.csv rita show-beacons dataset2 > beacons2.csv

Find common indicators across datasets

| | comm -12 <(cut -d',' -f1 beacons1.csv | sort) <(cut -d',' -f1 beacons2.csv | sort) | |

Analyze trends over time

for dataset in dataset_day1 dataset_day2 dataset_day3; do echo "=== $dataset ===" rita show-beacons --limit 5 $dataset done ```_

Automatisierung und Schrift

Automatisierte Analyse Pipeline

```bash

!/bin/bash

LOG_DIR="/var/log/zeek" DATASET_PREFIX="daily_analysis" RETENTION_DAYS=30

Function to process daily logs

process_daily_logs() \\{ local date=\(1 local dataset_name="\)\\{DATASET_PREFIX\\}_\(\\\\{date\\\\}" local log_path="\)\\{LOG_DIR\\}/$\\{date\\}"

if [ -d "$log_path" ]; then
    echo "[+] Processing logs for $date"

    # Import logs
    rita import "$log_path" "$dataset_name"

    # Run analysis
    rita analyze "$dataset_name"

    # Generate reports
    generate_reports "$dataset_name" "$date"

    echo "[+] Analysis complete for $date"
else
    echo "[-] No logs found for $date"
fi

\\}

Function to generate reports

generate_reports() \\{ local dataset=\(1 local date=\)2 local report_dir="/var/lib/rita/reports/$\\{date\\}"

mkdir -p "$report_dir"

# Generate beacon report
rita show-beacons --csv "$dataset" > "$\\\\{report_dir\\\\}/beacons.csv"

# Generate DNS report
rita show-dns --csv "$dataset" > "$\\\\{report_dir\\\\}/dns.csv"

# Generate long connections report
rita show-long-connections --csv "$dataset" > "$\\\\{report_dir\\\\}/long_connections.csv"

# Generate strobe report
rita show-strobes --csv "$dataset" > "$\\\\{report_dir\\\\}/strobes.csv"

# Generate blacklisted report
rita show-blacklisted --csv "$dataset" > "$\\\\{report_dir\\\\}/blacklisted.csv"

# Create summary report
create_summary_report "$dataset" "$report_dir"

\\}

Function to create summary report

create_summary_report() \\{ local dataset=\(1 local report_dir=\)2 local summary_file="$\\{report_dir\\}/summary.txt"

echo "RITA Analysis Summary for $dataset" > "$summary_file"
echo "Generated: $(date)" >> "$summary_file"
echo "=================================" >> "$summary_file"
echo "" >> "$summary_file"

# Count findings
local beacon_count=$(rita show-beacons "$dataset"|wc -l)
local dns_count=$(rita show-dns "$dataset"|wc -l)
local long_conn_count=$(rita show-long-connections "$dataset"|wc -l)
local strobe_count=$(rita show-strobes "$dataset"|wc -l)
local blacklisted_count=$(rita show-blacklisted "$dataset"|wc -l)

echo "Findings Summary:" >> "$summary_file"
echo "- Beacons: $beacon_count" >> "$summary_file"
echo "- DNS Anomalies: $dns_count" >> "$summary_file"
echo "- Long Connections: $long_conn_count" >> "$summary_file"
echo "- Strobes: $strobe_count" >> "$summary_file"
echo "- Blacklisted: $blacklisted_count" >> "$summary_file"
echo "" >> "$summary_file"

# Top findings
echo "Top 5 Beacons:" >> "$summary_file"
rita show-beacons --limit 5 "$dataset" >> "$summary_file"
echo "" >> "$summary_file"

echo "Top 5 DNS Anomalies:" >> "$summary_file"
rita show-dns --limit 5 "$dataset" >> "$summary_file"

\\}

Cleanup old datasets

cleanup_old_datasets() \\{ local cutoff_date=\((date -d "\)RETENTION_DAYS days ago" +%Y-%m-%d)

| | rita show-databases | grep "\(DATASET_PREFIX" | while read dataset; do | | local dataset_date=\)(echo "\(dataset"|sed "s/\)\\{DATASET_PREFIX\\}_//") if [[ "\(dataset_date" ``< "\)cutoff_date" ]]; then echo "[+] Deleting old dataset: \(dataset" rita delete "\)dataset" fi done \}

Main execution

DATE=\(\\\{1:-\)(date -d "yesterday" +%Y-%m-%d)\} process_daily_logs "$DATE" cleanup_old_datasets ```_

Echtzeit Monitoring Script

```bash

!/bin/bash

ZEEK_LOG_DIR="/opt/zeek/logs/current" RITA_DATASET="realtime_$(date +%Y%m%d_%H%M%S)" CHECK_INTERVAL=300 # 5 minutes ALERT_THRESHOLD_BEACONS=10 ALERT_THRESHOLD_DNS=20

Function to check for new threats

check_threats() \{ local dataset=$1

# Check beacon count
local beacon_count=$(rita show-beacons "$dataset"|wc -l)
if [ "$beacon_count" -gt "$ALERT_THRESHOLD_BEACONS" ]; then
    send_alert "High beacon activity detected: $beacon_count beacons found"
    rita show-beacons --limit 10 "$dataset"|mail -s "RITA Alert: Beacon Activity" security@company.com
fi

# Check DNS anomalies
local dns_count=$(rita show-dns "$dataset"|wc -l)
if [ "$dns_count" -gt "$ALERT_THRESHOLD_DNS" ]; then
    send_alert "High DNS anomaly activity: $dns_count anomalies found"
    rita show-dns --limit 10 "$dataset"|mail -s "RITA Alert: DNS Anomalies" security@company.com
fi

# Check for blacklisted connections
local blacklisted_count=$(rita show-blacklisted "$dataset"|wc -l)
if [ "$blacklisted_count" -gt 0 ]; then
    send_alert "Blacklisted connections detected: $blacklisted_count connections"
    rita show-blacklisted "$dataset"|mail -s "RITA Alert: Blacklisted Connections" security@company.com
fi

\}

Function to send alerts

send_alert() \{ local message=$1 echo "[ALERT] $(date): $message" logger "RITA_ALERT: $message"

# Send to SIEM or alerting system
curl -X POST -H "Content-Type: application/json" \
     -d "\\\{\"alert\":\"$message\",\"timestamp\":\"$(date -Iseconds)\"\\\}" \
     http://siem.company.com/api/alerts

\}

Main monitoring loop

echo "[+] Starting RITA real-time monitoring" echo "[+] Dataset: $RITA_DATASET" echo "[+] Check interval: $CHECK_INTERVAL seconds"

while true; do echo "[+] $(date): Importing latest logs..."

# Import latest logs
rita import "$ZEEK_LOG_DIR" "$RITA_DATASET"

# Run analysis
rita analyze "$RITA_DATASET"

# Check for threats
check_threats "$RITA_DATASET"

echo "[+] $(date): Check complete, sleeping for $CHECK_INTERVAL seconds"
sleep "$CHECK_INTERVAL"

done ```_

Threat Intelligence Integration

```bash

!/bin/bash

Function to update threat intelligence feeds

update_threat_feeds() \{ local config_file="/etc/rita/config.yaml" local temp_config="/tmp/rita_config_temp.yaml"

echo "[+] Updating threat intelligence feeds..."

# Download latest IOCs
wget -q -O /tmp/feodo_tracker.txt "https://feodotracker.abuse.ch/downloads/ipblocklist.txt"
wget -q -O /tmp/malware_domains.txt "http://www.malwaredomainlist.com/hostslist/hosts.txt"

# Update RITA configuration with new feeds
cp "$config_file" "$temp_config"

# Add new blacklisted domains/IPs
python3 << EOF

import yaml import requests

Load current config

with open('$temp_config', 'r') as f: config = yaml.safe_load(f)

Update blacklisted section

if 'Blacklisted' not in config: config['Blacklisted'] = \{\}

Add Feodo tracker IPs

with open('/tmp/feodo_tracker.txt', 'r') as f: for line in f: ip = line.strip() if ip and not ip.startswith('#'): config['Blacklisted'][ip] = True

Save updated config

with open('$temp_config', 'w') as f: yaml.dump(config, f, default_flow_style=False) EOF

# Backup original and update
cp "$config_file" "$\\\{config_file\\\}.backup.$(date +%Y%m%d)"
sudo cp "$temp_config" "$config_file"

echo "[+] Threat intelligence feeds updated"

\}

Function to correlate with external threat intelligence

correlate_with_ti() \{ local dataset=$1 local output_dir="/var/lib/rita/ti_correlation"

mkdir -p "$output_dir"

# Extract unique IPs from RITA results

| | rita show-beacons --csv "\(dataset" | cut -d',' -f2 | sort -u >`` "\)\\{output_dir\\}/beacon_ips.txt" | | | | rita show-dns --csv "\(dataset" | cut -d',' -f2 | sort -u > "\)\\{output_dir\\}/dns_domains.txt" | |

# Check against VirusTotal (requires API key)
if [ ! -z "$VT_API_KEY" ]; then
    echo "[+] Checking IPs against VirusTotal..."
    while read ip; do
        if [ ! -z "$ip" ]; then
            curl -s -H "x-apikey: $VT_API_KEY" \
                 "https://www.virustotal.com/vtapi/v2/ip-address/report?apikey=$VT_API_KEY&ip;=$ip" \
                 >> "$\\\\{output_dir\\\\}/vt_ip_results.json"
            sleep 1  # Rate limiting
        fi
    done < "$\\\\{output_dir\\\\}/beacon_ips.txt"
fi

# Check against AbuseIPDB (requires API key)
if [ ! -z "$ABUSEIPDB_API_KEY" ]; then
    echo "[+] Checking IPs against AbuseIPDB..."
    while read ip; do
        if [ ! -z "$ip" ]; then
            curl -s -H "Key: $ABUSEIPDB_API_KEY" \
                 -H "Accept: application/json" \
                 "https://api.abuseipdb.com/api/v2/check?ipAddress=$ip&maxAgeInDays;=90" \
                 >> "$\\\\{output_dir\\\\}/abuseipdb_results.json"
            sleep 1  # Rate limiting
        fi
    done ``< "$\\\{output_dir\\\}/beacon_ips.txt"
fi

echo "[+] Threat intelligence correlation complete"

\}

Update feeds and run correlation

update_threat_feeds correlate_with_ti "$1" ```_

Integration mit anderen Tools

Zeek Integration

```bash

Configure Zeek to output logs in RITA-compatible format

/opt/zeek/share/zeek/site/local.zeek

@load base/protocols/conn @load base/protocols/dns @load base/protocols/http @load base/protocols/ssl

Enable JSON output for better RITA compatibility

@load policy/tuning/json-logs.zeek

Custom log rotation for RITA

redef Log::default_rotation_interval = 1hr; redef Log::default_rotation_postprocessor = Log::run_rotation_postprocessor_cmd; redef Log::rotation_postprocessor_cmd = "gzip"; ```_

ELK Stack Integration

```bash

Logstash configuration for RITA results

/etc/logstash/conf.d/rita.conf

input \{ file \{ path =>`` "/var/lib/rita/reports/*/beacons.csv" start_position => "beginning" sincedb_path => "/dev/null" codec => "plain" type => "rita_beacons" \\}

file \\{ path => "/var/lib/rita/reports/*/dns.csv" start_position => "beginning" sincedb_path => "/dev/null" codec => "plain" type => "rita_dns" \\} \\}

filter \\{ if [type] == "rita_beacons" \\{ csv \\{ columns => ["source", "destination", "connections", "avg_bytes", "score"] separator => "," \\}

mutate \\\\{
  convert => \\\\{
    "connections" => "integer"
    "avg_bytes" => "integer"
    "score" => "float"
  \\\\}
\\\\}

\\}

if [type] == "rita_dns" \\{ csv \\{ columns => ["query", "source", "query_count", "unique_subdomains"] separator => "," \\}

mutate \\\\{
  convert => \\\\{
    "query_count" => "integer"
    "unique_subdomains" => "integer"
  \\\\}
\\\\}

\\} \\}

output \\{ elasticsearch \\{ hosts => ["localhost:9200"] index => "rita-%\\{type\\}-%\\{+YYYY.MM.dd\\}" \\} \\} ```_

Integration von Splunk

```bash

Splunk inputs.conf for RITA data

[monitor:///var/lib/rita/reports/*/beacons.csv] disabled = false sourcetype = rita:beacons index = security

[monitor:///var/lib/rita/reports/*/dns.csv] disabled = false sourcetype = rita:dns index = security

Splunk props.conf for RITA data

[rita:beacons] SHOULD_LINEMERGE = false FIELD_DELIMITER = , FIELD_NAMES = source,destination,connections,avg_bytes,score

[rita:dns] SHOULD_LINEMERGE = false FIELD_DELIMITER = , FIELD_NAMES = query,source,query_count,unique_subdomains ```_

Leistungsoptimierung

Datenbankoptimierung

```bash

MongoDB optimization for RITA

/etc/mongod.conf

storage: dbPath: /var/lib/mongodb journal: enabled: true wiredTiger: engineConfig: cacheSizeGB: 8 # Adjust based on available RAM

systemLog: destination: file logAppend: true path: /var/log/mongodb/mongod.log

net: port: 27017 bindIp: 127.0.0.1

Create indexes for better performance

mongo rita --eval " db.conn.createIndex(\\{src: 1, dst: 1\\}); db.dns.createIndex(\\{query: 1, src: 1\\}); db.http.createIndex(\\{src: 1, dst: 1\\}); " ```_

Ressourcenmanagement

```bash

Optimize RITA for large datasets

export GOMAXPROCS=8 # Set to number of CPU cores export GOGC=100 # Garbage collection percentage

Run analysis with custom memory settings

rita analyze --threads 8 --chunk-size 500000 dataset_name

Monitor resource usage during analysis

top -p $(pgrep rita) iostat -x 1 ```_

Fehlerbehebung

Gemeinsame Themen

```bash

MongoDB connection issues

sudo systemctl status mongod sudo systemctl restart mongod

Check MongoDB logs

sudo tail -f /var/log/mongodb/mongod.log

Test RITA configuration

rita test-config

Check RITA logs

tail -f /var/lib/rita/logs/rita.log

Verify Zeek log format

head -n 5 /path/to/zeek/logs/conn.log ```_

Debug Mode

```bash

Enable debug logging

rita --debug import /path/to/logs dataset_name

Verbose analysis

rita --verbose analyze dataset_name

Check database contents

mongo rita --eval "db.stats()" mongo rita --eval "db.conn.count()" ```_

Leistungsfragen

```bash

Check database size

mongo rita --eval "db.stats().dataSize"

Optimize database

mongo rita --eval "db.runCommand(\\{compact: 'conn'\\})"

Check system resources

free -h df -h iostat -x 1 5 ```_

Best Practices

Datenverwaltung

  1. Regular cleanup: Entfernen Sie alte Datensätze, um Speicherplatz zu verwalten
  2. Index Optimierung: angemessene Mongo DB-Index
  3. Log Rotation: Durchführung richtig Zeek log Rotation
  4. **Backup-Strategie*: Regelmäßige Sicherung von RITA-Datenbanken
  5. Monitoring: Systemressourcen während der Analyse überwachen

Analysestrategie

```bash

Phased analysis approach

Phase 1: Import and basic analysis

rita import /path/to/logs dataset_name rita analyze dataset_name

Phase 2: Detailed threat hunting

rita show-beacons --score-threshold 0.7 dataset_name rita show-dns --query-length-threshold 40 dataset_name

Phase 3: Correlation and investigation

Correlate findings with external threat intelligence

Investigate high-confidence indicators

```_

Operationelle Sicherheit

```bash

Secure RITA deployment

1. Restrict database access

sudo ufw allow from 127.0.0.1 to any port 27017

2. Encrypt sensitive data

Use MongoDB encryption at rest

3. Secure log storage

sudo chmod 750 /var/lib/rita sudo chown rita:rita /var/lib/rita

4. Regular updates

sudo apt update && sudo apt upgrade rita ```_

Ressourcen

--

*Dieses Betrügereiblatt bietet eine umfassende Referenz für die Verwendung von RITA. Stellen Sie immer sicher, dass Sie eine ordnungsgemäße Berechtigung haben, bevor Sie die Netzwerk-Verkehrsanalyse und -überwachung durchführen. *